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DETAILED ACTION 

1 . In response to amendment filed on 22 July 2009 and Examiner Initiated Interview on 1 8 
November 2009. Amendments to the claims are accepted. 

2. An examiner's amendment to the record is attached. Please enter entire claim set. Should 
the changes and/or additions be unacceptable to applicant, an amendment may be filed as 
provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. The examiner's amendment was authorized 
by attorney of record David M. Longo in phone interview on 18 November 2009 and confirming 
email sent on 20 November 2009. 

Response to Arguments 

3 Applicant's arguments filed 22 July 2009 have been fully considered and they are 
persuasive. 

Allowable Subject Matter 

4. Claims 1, 3-9, 12-38, 40-45, and 48-81, are allowed. 

Conclusion 

5. Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance". 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C Tran whose telephone number is 

(571) 272-3842. The examiner can normally be reached from 7:30 am to 4:00 pm. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on (571) 272-4195. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



/ELLEN TRAN/ 

Primary Examiner, Art Unit 2433 

21 November 2009 



Application/Control Number: 10/749,558 Page 4 

Art Unit: 2433 

Examiner's Amendment 

This listing of the claims will replace all prior versions and listings of the claims in the 
application: 



Listing of Claims : 



1 . (Currently Amended) A personal authentication device (PAD) comprising: 

at least one storage medium storing at least one CA public key, each public key associated 
with a certificate authority (CA); 

one or more input means for receiving one or more digital certificates, wherein the one or 
more digital certificates comprise at least one ticket-generation certificate including at least 
one service key generating program or information indicating at least one service key 
generating program; 

a processing component for 

authenticating the one or more received digital certificates using the at least one stored CA 
public key, and 

generating at least one service key based on the one or more authenticated digital 
certificates; and 

an output means for outputting the at least one service key a 

wherein the at least one storage medium comprises at least one component for storing a 
PAD private key associated with the PAD and used by the PAD to authenticate the PAD to a 
user, and 

wherein the one or more input means comprises at least one component for receiving a 
PAD authentication request from the user; the processing component comprises at least one 
component for responding to the PAD authentication request using the stored PAD private 
key; and the output means comprises at least one component for outputting responses to the 
PAD authentication request . 

2. (Canceled) 

3. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the processing component comprises at least one component for 

authenticating the at least one received ticket-generation certificate using the at least one 
stored CA public key; and 
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if one or more ticket-generation certificates are authenticated, generating the at least one 
service key based on the at least one authenticated service key generating program, wherein 
the at least one service key may be used by a user to obtain access to at least one service. 

4. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the one or more digital certificates further comprise: 

a user-identification certificate comprising information uniquely associated with a user; 

and wherein the processing component comprises at least one component for 

authenticating the received user-identification certificate using the at least one stored CA 
public key; and 

if the user-identification certificate is authenticated, authenticating the user based on the 
authenticated user-identification certificate. 

5. (Original) The personal authentication device (PAD) of claim 4, wherein the one 
or more digital certificates comprises: 

at least one user-qualification certificate indicating at least one service and one or more 
users who may access the at least one service; 

and wherein the processing component comprises at least one component for 

authenticating the at least one received user-qualification certificate based on the at least 
one CA public key, if the user is authenticated; and 

if the at least one user-qualification certificate is authenticated, determining at least one 
service that the authenticated user may have access to based on the at least one authenticated 
user-qualification certificate. 

6. (Original) The personal authentication device (PAD) of claim 1, wherein the at 
least one service key comprises at least one cookie. 

7. (Original) The personal authentication device (PAD) of claim 6, wherein the 
processing component comprises at least one component for: 

generating a one-time key and storing it in PAD; 

based on the one-time key, generating the at least one cookie and sending the generated 
cookie to the user; 

receiving the previously generated the at least one cookie, and validating the received 
cookie using the stored one-time key; and 

if the received cookie is successfully validated, invalidating the one-time key used in the 
cookie validation, generating a new one-time key and storing it in PAD, and based on the 
new one-time key, generating a new cookie and sending the new cookie to the user. 
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8. (Original) The personal authentication device (PAD) of claim 6, wherein the 
content in the one or more cookies comprises usage counts indicating the number of times 
one or more users have used one or more services. 

9. (Original) The personal authentication device (PAD) of claim 5, wherein the one 
or more input means further receives one or more certificates comprising information for 
granting the user access to at least one additional service based on the at least one service. 

10. -11. (Cancelled) 

12. (Currently Amended) The personal authentication device (PAD) of claim [[10]] 
I, wherein the processing component comprises at least one component for signing the at 
least one service key using the stored PAD private key. 

13. (Currently Amended) The personal authentication device (PAD) of claim [[10]] 
1, the processing component comprises at least one component for decrypting contents on the 
one or more received digital certificates using the stored PAD private key, wherein the 
contents are encrypted with the corresponding PAD public key. 

14. (Original) The personal authentication device (PAD) of claim 5, wherein the one 
or more digital certificates comprise at least one ticket-generation certificate indicating at 
least one service key generating program corresponding to the at least one service; and 
wherein the processing component comprises at least one component for 

authenticating the at least one ticket-generation certificate using the at least one stored CA 
public key; and 

if one or more ticket-generation certificates are authenticated, generating the at least one 
service key based on the at least one authenticated service key generating program, wherein 
the at least one service key may be used by a user to obtain access to at least one service. 

15. (Original) The personal authentication device (PAD) of claim 4, wherein the one 
or more input means further receives one or more user credentials, and 

the processing component comprises at least one component for 

authenticating the user based on the authenticated user-identification certificate and the one 
or more received user credentials. 

16. (Original) The personal authentication device (PAD) of claim 15, wherein the 
one or more user credentials comprise one or more user private keys. 
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17. (Original) The personal authentication device (PAD) of claim 15, wherein the 
one or more user credentials comprise a personal identification number (PIN) associated with 
the user, or information computed from the PIN. 

18. (Original) The personal authentication device (PAD) of claim 15, wherein the 
one or more user credentials comprise biometric information associated with the user. 

19. (Original) The personal authentication device (PAD) of claim 15, further 
comprising: 

means for disabling the PAD if one or more attempts to authenticate the user based on the 
authenticated user-identification certificate and the one or more user credentials ends in 
failure. 

20. (Original) The personal authentication device (PAD) of claim 1 , wherein the one 
or more digital certificates comprises: 

an operations certificate comprising information for controlling the operations of the PAD 
for a current session. 

21 . (Original) The personal authentication device (PAD) of claim 20, wherein the 
information for controlling the operations of the PAD for a current session comprises one or 
more of the following: information governing input and output of the PAD, challenge and 
response protocols for user and PAD authentication, secure protocols for receiving and 
outputting data, and protocols for PAD management purposes. 

22. (Original) The personal authentication device (PAD) of claim 20, wherein the 
information for controlling the operations of the PAD for a current session comprises 
information governing linking of one or more received certificates, and wherein the 
processing component comprises at least one component for linking of one or more received 
certificates based on one or more certificates comprising information for granting the user 
access to at least one additional service based on the at least one service. 

23. (Original) The personal authentication device (PAD) of claim 1, wherein the one 
or more input means receive one or more signature-verification certificates forming a 
signature-verification chain, wherein each signature- verification certificate in the signature- 
verification chain is signed with the private key of an entity whose public key is certified by 
the preceding signature-verification certificate and wherein the first signature-verification 
certificate in the signature -verification chain is signed by at least one stored CA public key; 
and wherein the processing component comprises at least one component for authenticating 
the one or more received digital certificates based on the last signature -verification certificate 
in the signature-verification chain. 
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24. (Original) The personal authentication device (PAD) of claim I, wherein the 
PAD is tamper-resistant. 

25. (Currently Amended) The personal authentication device (PAD) of claim [[10]] 
1, wherein the CA public keys and the PAD private key are written into the PAD only once. 

26. (Currently Amended) The personal authentication device (PAD) of claim [[10]] 
1, further comprising: 

a protection mechanism that erases the PAD private key from the at least one storage 
medium when there are unauthorized attempts in reading or modifying the PAD private key. 

27. (Original) The personal authentication device (PAD) of claim 1, wherein at least 
one of the one or more input means is a reading device capable of receiving at least one of 
the one or more digital certificates and user credentials from a storage medium or network 
interface. 

28. (Original) The personal authentication device (PAD) of claim 1, further 
comprising a clock for determining a current date and time. 

29. (Original) The personal authentication device (PAD) of claim 1, further 
comprising one or more timers for determining time that has elapsed since a timer was reset. 

30. (Original) The personal authentication device (PAD) of claim 1, further 
comprising one or more counters for determining a number of times an event has occurred 
since a counter was reset. 

31. (Original) The personal authentication device (PAD) of claim 1, wherein the one 
or more digital certificates further comprise information which may reset clock, timers and 
counters of the PAD. 

32. (Original) The personal authentication device (PAD) of claim 1, wherein the one 
or more digital certificates comprise a content decryption key and content rights that the PAD 
will check before outputting the content decryption key as a service key. 

33. (Original) The personal authentication device (PAD) of claim 32, wherein the 
content rights comprise limits on at least one of the following: content expiration time, 
content usage period, content usage count. 
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34. (Original) The personal authentication device (PAD) of claim 28, wherein the 
processing component comprises at least one component for determining if the current date 
and time is within the validity period of the one or more received digital certificates. 

35. (Previously Presented) The personal authentication device (PAD) of claim 28, 
wherein the processing component comprises at least one component for generating 
timestamps to be included in service keys that the PAD generates. 

36. (Original) The personal authentication device (PAD) of claim 1, further 
comprising a write-once serial number. 

37. (Original) The personal authentication device (PAD) of claim 36, wherein the 
processing component comprises at least one component for generating the at least one 
service key based on the serial number. 

38. (Currently Amended) An authentication method comprising: 

storing on a personal authentication device (PAD) at least one CA public key, each public 
key associated with a certificate authority (CA); 

receiving one or more digital certificates, wherein the one or more digital certificates 
comprise at least one ticket-generation certificate including at least one service key 
generating program or information indicating at least one service key generating program; 

authenticating the one or more received digital certificates using the at least one stored CA 
public key; 

generating at least one service key based on the one or more authenticated digital 
certificates; [[and]] 

outputting the at least one service keyi 

storing on the personal authentication device (PAD) a PAD private key associated with the 
PAD and used by the PAD to authenticate the PAD to a user; 

receiving a PAD authentication request from the user; 

responding to the PAD authentication request using the stored PAD private key; and 
outputting the response to the PAD authentication request . 

39. (Canceled) 

40. (Previously Presented) The method of claim 38, further comprising: 

authenticating the at least one received ticket-generation certificate using the at least one 
CA public key; and 
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if the at least one ticket-generation certificate is authenticated, generating at least one 
service key based on the at least one service key generating program, wherein the at least one 
service key may be used by a user to obtain access to at least one service. 

41 . (Original) The method of claim 38, further comprising: 

receiving a user-identification certificate comprising information uniquely associated with 
a user; 

authenticating the received user-identification certificate based on the at least one CA 
public key; and 

if the user-identification certificate is authenticated, authenticating the user based on the 
authenticated user-identification certificate. 

42. (Original) The method of claim 41, further comprising: 

receiving at least one user-qualification certificates indicating at least one service and one 
or more users who may access the at least one service; 

authenticating the at least one received user-qualification certificate based on the at least 
one CA public key; and 

if the at least one user-qualification certificate is authenticated, determining at least one 
service that the authenticated user may have access to based on the at least one authenticated 
user-qualification certificate. 

43. (Original) The method of claim 38, wherein the at least one service key 
comprises at least one cookie. 

44. (Original) The method of claim 38, further comprising: 
generating a one-time key and storing it on the PAD; 

based on the one-time key, generating the at least one cookie and sending the generated 
cookie to the user; 

receiving the previously generated the at least one cookie, and validating the received 
cookie using the stored one-time key; and 

if the received cookie is successfully validated, invalidating the one-time key used in the 
cookie validation, generating a new one-time key and store it on the PAD, and based on the 
new one-time key, generating a new cookie and sending the new cookie to the user. 

45. (Original) The method of claim 44, wherein the content in the one or more 
cookies comprises usage counts indicating the number of times one or more users have used 
one or more services. 
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46.-47. (Cancelled) 

48. (Currently Amended) The method of claim [[46]] 38, further comprising: 
signing the at least one service key using the stored PAD private key. 

49. (Currently Amended) The method of claim [[46]] 38, further comprising: 

decrypting contents on the one or more received digital certificates using the stored PAD 
private key, wherein the contents are encrypted with the corresponding PAD public key. 

50. (Original) The method of claim 42, further comprising: 

if the authenticated user is determined to have access to the services, authenticating the at 
least one ticket-generation certificate using the at least one CA public key; and 

if the at least one ticket-generation certificate is authenticated, generating at least one 
service key based on the at least one service key generating program, wherein the at least one 
service key may be used by a user to obtain access to at least one service. 

5 1 . (Original) The method of claim 42, further comprising: 

granting the user access to at least one additional service based on the at least one service 
and received digital certificate information. 

52. (Original) The method of claim 41, further comprising: 
receiving one or more received user credentials; and 

authenticating the user based on the authenticated user-identification certificate and the one 
or more user credentials. 

53. (Original) The method of claim 52, wherein the user credentials comprise one or 
more user private keys. 

54. (Original) The method of claim 52, wherein the user credentials comprise a 
personal identification number (PIN) associated with the user, or information computed from 
the PIN. 

55. (Original) The method of claim 52, wherein the user credentials comprise 
biometric information associated with the user. 



56. 



(Original) The method of claim 52, further comprising: 
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disabling the PAD if one or more attempts to authenticate the user based on the 
authenticated user-identification certificate and the one or more user credentials ends in 
failure. 

57. (Original) The method of claim 38, further comprising: 

receiving an operations certificate comprising information for controlling the operations of 
the PAD for a current session. 

58. (Original) The method of claim 57, wherein the information for controlling the 
operations of the PAD for a current session comprises one or more of the following: 
information governing input and output of the PAD, challenge and response protocols for 
user and PAD authentication, secure protocols for receiving and outputting data, and 
protocols for PAD management purposes. 

59. (Original) The method of claim 57, wherein the information for controlling the 
operations of the PAD for a current session comprises information governing linking of one 
or more received certificates, and wherein the method further comprises: 

linking one or more received certificates based on one or more certificates comprising 
information for granting the user access to at least one additional service based on the at least 
one service. 

60. (Original) The method of claim 38, further comprising: 

receiving one or more signature-verification certificates forming a signature-verification 
chain, wherein each signature- verification certificate in the signature-verification chain is 
signed with the private key of an entity whose public key is certified by the preceding 
signature -verification certificate and wherein the first signature-verification certificate in the 
signature -verification chain is signed by at least one stored CA public key; and wherein the 
processing component comprises at least one component for authenticating the one or more 
received digital certificates based on the last signature-verification certificate in the 
signature -verification chain. 

61. (Currently Amended) The method of claim [[46]] 38, further comprising: 

erasing the PAD private key when one or more unauthorized attempts to read or modify 
the PAD private key are detected. 

62. (Original) The method of claim 38, wherein at least one of the one or more 
digital certificates is received from a storage medium or network interface. 
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63. (Original) The method of claim 38, further comprising determining a current date 
and time. 

64. (Original) The method of claim 63, further comprising: 

determining if the current date and time is within the validity period of the one or more 
received digital certificates. 

65. (Original) The method of claim 38, further comprising determining elapsed time 
since a prior event. 

66. (Original) The method of claim 38, further comprising determining the number 
of times an event has occurred since a prior event. 

67. (Original) The method of claim 38, further comprising: 

receiving one or more digital certificates which contain information for resetting current 
date and time, elapsed time, and a number of times an event has occurred. 

68. (Original) The method of claim 67, further comprising: 

resetting clock, timers or counters of the PAD based on information in the one or more 
digital certificates. 

69. (Original) The method of claim 38, further comprising: 

receiving one or more digital certificates which provide a content decryption key and 
content rights; and 

checking the content rights before outputting the content decryption key as a service key. 

70. (Original) The method of claim 69, wherein the content rights comprise limits on 
at least one of the following: content expiration time, content usage period, content usage 
count. 

71 . (Original) The method of claim 63, further comprising: 

generating timestamps based on the current date and time, the timestamps to be included in 
service keys that the PAD generates. 

72. (Original) The method of claim 38, further comprising: 
generating the at least one service key based on a write -once serial number. 
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73. (Original) The method of claim 72, further comprising: 
including the serial number in the at least one service key. 

74. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the at least one ticket generation certificate further indicates a length of the at least 
one service key. 

75. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the at least one ticket generation certificate further indicates a format for outputting 
the at least one service key. 

76. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the information indicating the at least one service key generating program includes 
information of the at least one service key generating program stored on the PAD. 

77. (Previously Presented) The personal authentication device (PAD) of claim 1, 
wherein the information indicating the at least one service key generating program includes 
information of the at least one service key generating program available via the one or more 
input means. 

78. (Previously Presented) The method of claim 38, wherein the at least one ticket 
generation certificate further indicates a length of the at least one service key. 

79. (Previously Presented) The method of claim 38, wherein the at least one ticket 
generation certificate further indicates a format for outputting the at least one service key. 

80. (Previously Presented) The method of claim 38, wherein the information 
indicating the at least one service key generating program includes information of the at least 
one service key generating program stored on the PAD. 

8 1 . (Previously Presented) The method of claim 38, wherein the information 
indicating the at least one service key generating program includes information of the at least 
one service key generating program available via one or more input devices. 



/ELLEN TRAN/ 



Primary Examiner, Art Unit 2433 



